Industry CMO on the Downstream Risks of "Logo Disclosures"

Jennifer Leggio, chief marketing officer at Flashpoint, is an executive with more than a decade's experience in managing corporate cyber security marketing at the highest levels -- much of the time seeking and advocating a greater ethical stance in marketing. At last month's Hack in the Box Conference in Amsterdam, she delivered a keynote presentation entitled, 'A Risk Assessment of Logo Disclosures'.

The basic premise is that failures in the coordinated approach to vulnerability disclosures can seem attractive from an initial marketing perspective, but are damaging to both the industry and its users. The ultimate problem comes from the different missions between security product development and sales teams: the first is purposed to reduce harm, while the latter is purposed to sell product.

In between these teams sit the researchers, whose function is to find weaknesses in security products so that they can be strengthened, and their users better protected. Researchers wish to have their expertise acknowledged, while developers wish to fix their products securely. Between them they have evolved the process known as coordinated disclosure: researchers report their findings to the developer who fixes the faults, and both coordinate simultaneous disclosure of the vulnerability and its fix.

It's a process -- when it works -- that ensures the developer fixes the product as rapidly as possible, while the vulnerability does not become a zero-day exploit for use by cybercriminals, overseen by a CERT 'referee'. The problem comes from undue pressure from marketers, possibly supported by the firm's business leaders. This is the subject of Leggio's keynote presentation: the violation of disclosure process to try to diminish competitors, sell more product, or unethically highlight research prowess.

It's a complex issue because it cuts both ways. Research firms, probably at the behest of marketing, can disclose vulnerabilities ahead of coordination to maximize the publicity of their discovery (and therefore, their visible expertise). Similarly, developers can usurp the agreed coordination date to get fixes out before there is any indication that there was a vulnerability, thereby minimizing any perceived product weakness and negative criticism.

Two days later, Trail of Bits blogged that they had earlier been retained by CTS to confirm the existence of the AMD flaws -- which they did -- but commented, "Our recommendation to CTS was to disclose the vulnerabilities through a CERT." CTS did not follow this advice. This allowed the controversial company Viceroy Research to publish a statement on the same day as CTS disclosed the vulnerabilities:

"These findings demonstrate that AMD’s key products, and it basis for profitability and growth, the EPYC and Ryzen processors, contain severe and pervasive security flaws that put users and organizations at an unacceptable and damaging risk."

This statement bears all the hallmarks of an attempt to short AMD stock. In January, Moneyweb had described Viceroy Research as a "three-man firm... headed by a previous social worker and two Australian youngsters." It concluded, "there are doubts as to whether Viceroy conducts its own research or if it is merely a front for other investors that seek to avoid the limelight but profit from it."

It is possible, then, that unknown investors immediately attempted to profit from the uncoordinated disclosure -- a perfect example of the downstream risks highlighted by Leggio.

But it's not just the researchers that sometimes break the process. Also in March 2018, Core Security released details of a vulnerability in router manufacturer MikroTik's RouterOS. Core and MikroTik agreed on coordinated disclosure, but just before the agreed date, MikroTik quietly fixed the flaw in an OS update. Whether by design or accident, this allowed the manufacturer to avoid making any disclosure or public recognition of the pre-existing vulnerability.

The risk here is to the end user. Without ever hearing about potential problems, the user can easily assume that there are no problems. It's a false sense of security that is patently dangerous since compromised MikroTik routers are an important part of IoT botnets. According to one firm, compromised MikroTik routers comprised 80% of a botnet (probably Reaper) that was used in a DDoS attack against Dutch financials in January 2018.

It is such downstream risks of upfront marketing-led breaches of the coordinated disclosure process that Leggio discussed in her keynote presentation. Key to her proposal is the introduction of an ethics or 'standards desk' overseeing marketing decisions just as some newspapers have a standards desk overseeing the more contentious news stories.

Marketing teams pushing for external disclosure, she told SecurityWeek, "should have it go through an ethical evaluation to ensure that it's not compromising any bigger picture -- like an LEA investigation -- and/or is not tipping-off a cybercriminal that there might be an exploit in their malware that could help law enforcement. You're basically using coordinated disclosure to help cyber criminals harden their own stuff -- needs to be some review there."

It requires, she added, "a shift in culture and a shift in mindset, making sure that business leaders understand that their sales teams, their marketing teams, their finance teams, their legal teams and so on, are all responsible for making sure that there is an ethical delivery in the message."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.